Month: August 2017

Eclipse Viewing

The initial forecasts this morning called for clouds and thunderstorms during the eclipse, but the clouds moved off in time and we had great visibility. Glad I picked up some of the solar filter lens things – people I knew who were using their cell phones were disappointed. Don’t know if my phone camera is particularly good or particularly bad, but I was able to catch the moon’s shadow as it moved across the sun. Kind of cool, but it is nothing compared to the guy who got the ISS in front of the sun.

Robo-Anya in Eclipse Viewing Mode

And I managed to get a few shots of the moon shadowing the sun.

Sendmail

Sendmail is an open source SMTP mail transfer agent implemented on many different Unix platforms. The original version of sendmail, written in the early 1980s, was written by Eric Allman at Berkeley. The release code base of sendmail is version 8. The packages and source can be found at http://www.sendmail.org.

Sendmail in its current iteration is configured by many individual files. All of the configuration options available within the product are well documented at http://www.sendmail.org/doc and http://www.sendmail.org/m4/readme.html.

Future Releases:

There is not a code base 9, but rather SendmailX which has now become MeTA1 (http://www.meta1.org/).  MeTA1 does not include a local delivery agent or mail submission program – it is intended as a conduit for email only.  It will use a single configuration file with a radically different syntax.  Currently, the summer of 2007, the code is in a pre-alpha release.  So, it will be a while.


Practical Information:

We back the sendmail configuration files up nightly to NEOHTWNLX810 (/home/NDSSupport/Backups/).  You can restore the files from /etc/mail (or /opt/pmx4/sendmail/etc/mail as appropriate) to a rebuilt server and return the server’s complete configuration.


Mail Queues:

Sendmail stores unsent relayed messages in /var/spool/mqueue.  Unsent locally submitted messages will first be in /var/spool/clientmqueue.  Within the mqueue folder, each message has two separate files, one for the header information and a second for the message data.  To count the number of messages queued for delivery, then, you need to divide the number of files within /var/spool/mqueue in half:

echo $(( $(ls -1 /var/spool/mqueue | wc -l) / 2 ))

(Use ls -1 rather than ls -al here: the long, all-files listing also counts the “total” line and the . and .. entries, which throws the count off.)

New Email Domain Configuration:

We have all of the resources required to establish a new email domain. (Registration may well be required for a new DNS zone.) To establish a new publicly functional email domain from an existing DNS zone:

  • Create MX records within the DNS zone. The 10 weight record should point to neohtwnlx821.windstream.com. and the 20 weight record should point to neohtwnlx823.windstream.com. It is important in these MX records to include the period trailing the hostname.
  • On NEOHTWNLX821 and NEOHTWNLX823, edit /etc/mail/access to include the new domain with RELAY.
  • On NEOHTWNLX821 and NEOHTWNLX823, edit /etc/mail/mailertable to direct mail to the appropriate destination (unix host, Exchange server, etc.).
    • The destination must be configured to accept email from LX821/LX823.
  • If internal mail routing needs to be established, an SMTP connector needs to be added to the Exchange organization. Additionally, mailertable entries should be created on, at minimum, LX825, LX830, LX833, and LX828.
  • If mail should be delivered to mailboxes in the Exchange organization, the new domain should be added to the “Additional Mail Domains” recipient policy. In this case, the SMTP connector would not be created in Exchange.


Sendmail Troubleshooting:

To display information about queued messages:

sendmail -bp

Or, to obtain an analysis of the domains and addresses within the mail queue, use the perl scripts located in /root/bin:

frombydomain.pl    Ascending count of sender domains
frombyemail.pl     Ascending count of sender email addresses
tobydomain.pl      Ascending count of recipient domains
tobyemail.pl       Ascending count of recipient email addresses
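The per-domain counts above can also be produced straight from the queue control files. This is an added example, not the /root/bin scripts or anything from the sendmail project; it assumes sendmail v8 queue files, where each message has a qf* control file (with S<sender> and R<flags>:<recipient> lines) and a df* data file, and the sample queue it builds is constructed for offline use.

```shell
# Print "count domain" lines, highest first, for the sender (kind=S) or
# recipient (kind=R) envelope addresses in the qf* control files under $1.
queue_count_by_domain() {
    qdir=$1; kind=$2
    cat "$qdir"/qf* 2>/dev/null | awk -v kind="$kind" '
        # Sender line:    S<user@example.com>     (S<> is the null sender)
        # Recipient line: RPFD:<user@example.com> (flag letters before ":")
        kind == "S" && /^S/           { addr = substr($0, 2) }
        kind == "R" && /^R[A-Za-z]*:/ { addr = substr($0, index($0, ":") + 1) }
        addr != "" {
            gsub(/[<>]/, "", addr)                 # strip angle brackets
            n = split(addr, parts, "@")
            dom = (n > 1) ? tolower(parts[n]) : "(none)"
            count[dom]++
            addr = ""
        }
        END { for (d in count) print count[d], d }' \
    | sort -rn
}

# Number of queued messages = number of qf* control files. Counting all
# directory entries and halving miscounts as soon as a df* file is missing.
queue_message_count() {
    ls -1 "$1"/qf* 2>/dev/null | wc -l | tr -d ' '
}

# Constructed sample queue (three messages) so the functions run offline.
make_sample_queue() {
    mkdir -p "$1"
    printf 'V8\nT1503000000\nS<alice@example.com>\nRPFD:<bob@mail.example.net>\nH??Subject: test\n' > "$1/qfv7LAAA01"
    printf 'V8\nT1503000001\nS<carol@example.com>\nRPFD:<dave@other.org>\nRPFD:<erin@other.org>\n' > "$1/qfv7LAAA02"
    printf 'V8\nT1503000002\nS<>\nRPFD:<frank@mail.example.net>\n' > "$1/qfv7LAAA03"
    : > "$1/dfv7LAAA01"; : > "$1/dfv7LAAA02"; : > "$1/dfv7LAAA03"
}
```

On a live system the queue root would be /var/spool/mqueue (or /var/spool/clientmqueue for locally submitted mail); the cat glob needs splitting into batches on a queue large enough to exceed the argument-length limit.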

To retry the queued messages with output to the terminal:

sendmail -v -q -C/etc/mail/sendmail.cf &

To retry a specific recipient domain’s queue:

sendmail -v -qRthedomain.com -C/etc/mail/sendmail.cf &

Or a specific sender domain’s queue:

sendmail -v -qSthedomain.com -C/etc/mail/sendmail.cf &

To retry a specific message ID:

sendmail -v -qImsgidgoeshere -C/etc/mail/sendmail.cf &

Add “-d8.11” to the queue retry commands to output debug level diagnostic information to the terminal, e.g.:

sendmail -v -qIl6UJtCE3021014 -C/etc/mail/sendmail.cf -d8.11


Alternative Facts

The Trump administration’s fabrications of current events, euphemistically coined ‘alternative facts’ by Conway, have migrated into fabrications about history. General Pershing did not shoot Muslims using bullets dipped in pigs’ blood.

Had Pershing done so, this comment would be much the same as decreeing that American internment camps had the right idea (yeah, Trump’s said that too) – whilst one cannot argue the historical validity of the event, one most certainly can admit that the country made a grave mistake.

Linux Authentication Over Key Exchange

On Linux, you can log in without logging in (essential for non-interactive processes that run commands on remote hosts, but also nice for accessing hosts when you get paged at 2AM to look into an issue). The first thing you need is a key. You can use the openssh installation on a server to generate the key:

ssh-keygen -t rsa -b 2048

You’ll get an id_rsa and id_rsa.pub. Your private key (keep it somewhere safe) is in id_rsa; your public key is in id_rsa.pub.

Alternately you can run puttygen.exe (www.chiark.greenend.org.uk/~sgtatham/putty/download.html) for a GUI key generator. Click the “Generate” button & then move the mouse around over the blank area of the PuttyGen window – your coordinates are used as random data for the key seed.

Once the key is generated, click “save public key” and store it somewhere safe. Click “save private key” and store it somewhere safe. Copy the public key at the top of the window. You don’t have to (you can instead drop the newline characters from the saved public key file), but this saves time.

Either way, you’ve got a base64-encoded public and private key.

** Key recovery isn’t a big deal – you can always generate a new public/private key pair and set it up. Time consuming if your public key is all over the place, but it isn’t a data loss kind of thing.

*** Anyone who gets your private key can log in as you anywhere you set up this key exchange. You can add a passphrase to your key for additional security.

Go to whatever box you want to log into using the key exchange. ** I have a key exchange set up from my Windows boxes (laptop, terminal server) to myid@jumphost. I then have a different key used from myid@jumphost to all of our other boxes. This allows me to change my on-laptop key (i.e. the one more likely to get lost) out more frequently without having to get a new public key on dozens of hosts.

Once you are on the target box, logged in as the ID you want to use (you can do a key exchange to any id for which you know the password – so you can log into serviceaccount@hostname or otherserviceaccount@otherhostname and do this, or you can be logged in as yourid@hostname), run “cd ~/.ssh”. If it says no such file, run “ssh localhost” – it will ask you if you want to store the server public key – say yes; that creates the .ssh folder with proper permissions. Ctrl-c and cd ~/.ssh again. Now determine if there is an authorized_keys, authorized_keys2, or both. Vim the one you find – if there aren’t any, try “vi authorized_keys” first (authorized_keys2 on RedHat/Fedora, long story) – go into edit mode and paste in the public key line we copied earlier. Save the file. If you get an error like “The server refused our key”, you can “mv authorized_keys authorized_keys2” (or “mv authorized_keys2 authorized_keys” if you started with keys2).

In putty, load in your configuration for whatever host we just pasted the public key into. Under Connection -> Data, find the “Auto-login username” section. Put in whatever ID you used when you added the public key (my use case is me e0082643 … but if you were using ldapAdmin@hostname, you would put ldapAdmin in here)

Then under Connection ->SSH->Auth, find the “private key file for authentication” section and put in your private key location. Go back to the Session section and save the configuration changes.

Now connect & you shouldn’t need to supply a password (or you only need to supply your key passphrase).

** OpenSSH automatically uses the id_dsa or id_rsa (private keys) from ~/.ssh/ when you attempt to authenticate to other hosts. If the destination id@host has your public key in its ~/.ssh/authorized_keys (or ~/.ssh/authorized_keys2), then you’ll get magic key based authentication too. Caveat: on the source Linux host, your private key cannot be group or other readable. Run “chmod go-rw ~/.ssh/id_rsa” to ensure it is sufficiently private, otherwise auth will fail due to permissive access.

** Once you have a key exchange in place, it is fairly easy to update your key. Create a new one but do not yet replace your old one. You can make a shell script that updates all remote hosts with your new public key – per host, run:

ssh user@remoteHost "echo \"`cat ~/.ssh/new_id_rsa.pub`\" >> ~/.ssh/authorized_keys"

Once the new public key info has been pushed out, test it using “ssh -i new_id_rsa user@remoteHost” and verify the key authentication works. Once confirmed, rename your old id_rsa and id_rsa.pub files to something else. Then rename your new_id_rsa to id_rsa and new_id_rsa.pub to id_rsa.pub.
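The rotation steps above as shell functions, added here as an example rather than taken from the post: the add and remove functions work on a local authorized_keys path so the logic can be exercised offline, and rotate_remote_key (hypothetical name, takes user@host, old public key, new public key, new private key) applies the same rule over ssh and removes the old key only after a login with the new one has succeeded. Keys are matched on type plus base64 blob, so re-running the push with a different comment does not add a duplicate line.

```shell
key_id() {                               # "ssh-rsa AAAA..." without the comment
    printf '%s\n' "$1" | awk '{print $1, $2}'
}

# Append a public key line unless that key is already present; also enforce the
# permissions sshd insists on (~/.ssh 700, authorized_keys 600).
add_authorized_key() {
    akfile=$1; pubkey=$2
    mkdir -p "$(dirname "$akfile")"
    chmod 700 "$(dirname "$akfile")"
    touch "$akfile"; chmod 600 "$akfile"
    if awk '{print $1, $2}' "$akfile" | grep -qxF "$(key_id "$pubkey")"; then
        return 0                         # already authorized: nothing to do
    fi
    printf '%s\n' "$pubkey" >> "$akfile"
}

# Remove every line carrying the given key, keeping all other entries.
remove_authorized_key() {
    akfile=$1; tmp=$(mktemp)
    awk -v id="$(key_id "$2")" '($1 " " $2) != id' "$akfile" > "$tmp"
    cat "$tmp" > "$akfile"; rm -f "$tmp" # overwrite in place, keeping the file mode
}

# How many authorized_keys lines carry the key (0 = absent, 1 = present once).
count_authorized_key() {
    awk '{print $1, $2}' "$1" | grep -cxF "$(key_id "$2")" || true
}

# Rotation on one host: push the new key, prove it logs in, then drop the old one.
# Usage: rotate_remote_key user@host ~/.ssh/id_rsa.pub ~/.ssh/new_id_rsa.pub ~/.ssh/new_id_rsa
rotate_remote_key() {
    target=$1; oldkey=$(cat "$2"); newkey=$(cat "$3"); newpriv=$4
    ssh "$target" "mkdir -p ~/.ssh && chmod 700 ~/.ssh && touch ~/.ssh/authorized_keys \
        && chmod 600 ~/.ssh/authorized_keys \
        && (awk '{print \$1, \$2}' ~/.ssh/authorized_keys | grep -qxF '$(key_id "$newkey")' \
            || printf '%s\n' '$newkey' >> ~/.ssh/authorized_keys)" || return 1
    # Fail closed: the old key stays until a login with the new key succeeds.
    ssh -i "$newpriv" -o IdentitiesOnly=yes -o BatchMode=yes "$target" true || return 1
    ssh "$target" "awk -v id='$(key_id "$oldkey")' '(\$1 \" \" \$2) != id' ~/.ssh/authorized_keys \
        > ~/.ssh/authorized_keys.new && mv ~/.ssh/authorized_keys.new ~/.ssh/authorized_keys \
        && chmod 600 ~/.ssh/authorized_keys"
}
```

Loop rotate_remote_key over the host list to get the per-host script the post describes; a host where the new key cannot log in is left untouched, with the old key still in place.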

It’s chess *for girls*!

Sometime in the late 80s, I saw a “Chess … For Girls!” game. It was exactly like every other chess set in the world, except it was pink and sparkly. I remember wondering how exactly that product development meeting went down. “Well, we don’t want too many people to want our product … so how can we alienate a good chunk of customers?”. No boy is going to want “Chess … For Girls!” even if they’d like a sparkly pink chess set. Some subset of parents will refuse to purchase it because it’s offensive targeting. It isn’t like derivatives of traditional chess are unique – they could have done anything with the marketing. Sets featuring Stan Lee’s superheroes aren’t marketed as “Chess … For Boys!”. They could have just called it Chess. They could have made a few different versions featuring glow in the dark pieces, sparkles, and furry animals. But, no … they first imply that other chess sets aren’t for girls. And that the way you can identify a product as being “for girls” is to look for pink sparkles.

I thought we’d moved on from such marketing fails – hell, SNL made a spoof commercial with the exact premise. But today we saw https://jewelbots.com/ … so you can “code like a girl”. Umm, hi! I code just like most other programmers – with a keyboard and using a syntax appropriate for the language of choice. Like girl chess or that Google engineer’s terribly presented suggestion for diversity programs, the sexism isn’t even needed. The product is billed as 21st century friendship bracelets. Bands with what I assume are little Arduino computers in a round plastic thing that makes the whole unit look a little bit like a watch. The plastic housing has a flower design on it. Make an array of interchangeable band options, a bunch of different plastic cases … and just call them 21st century friendship bracelets. You assign colours to registered friends, and the bracelet glows that colour when your friend is nearby. Use Bluetooth to send secret messages to friends. It’s a cool product for either gender. And, hey parents … your kids are learning valuable programming skills too.

“Defending Statues”

Something to remember amid the resurgence of Klan and NeoNazi rallies — Robert E Lee, patron saint of the white Southern male “lost cause” literally said he did not support a monument to ‘Stonewall’ Jackson but valued unifying the country and healing the wounds of the war.


http://leefamilyarchive.org/papers/letters/transcripts-UVA/v076.html
Sender: Robert E. Lee
Recipient: Thomas L. Rosser

Lexington VA 13 Dec – r 1866
My dear Genl
I have considered the questions in your letter of the 8th Inst: & am unable to advise as to the efficacy of the scheme proposed for the accomplishment of the object in view. That can be better determined by those more conversant with similar plans than I am.
As regards the erection of such a monument as is contemplated; my conviction is, that however grateful it would be to the feelings of the South, the attempt in the present condition of the Country, would have the effect of retarding, instead of accelerating its accomplishment; & of continuing, if not adding to, the difficulties under which the Southern people labour. All I think that can now be done, is to aid our noble & generous women in their efforts to protect the graves & mark the last resting places of those who have fallen, & wait for better times.
I am very glad to hear of your comfortable establishment in Baltimore & that Mrs. Rosser is with you. Please present to her my warm regards. It would give me great pleasure to meet you both anywhere, & especially at times of leisure in the mountains of Virginia; but such times look too distant for me to contemplate, much less for me now to make arrangements for …

Edited to add: “Stonewall” Jackson has some great-great-grandchildren who agree the monuments should come down:

Dear Richmond Mayor Levar Stoney and members of the Monument Avenue Commission,

We are native Richmonders and also the great-great-grandsons of Stonewall Jackson. As two of the closest living relatives to Stonewall, we are writing today to ask for the removal of his statue, as well as the removal of all Confederate statues from Monument Avenue. They are overt symbols of racism and white supremacy, and the time is long overdue for them to depart from public display. Overnight, Baltimore has seen fit to take this action. Richmond should, too.

In making this request, we wish to express our respect and admiration for Mayor Stoney’s leadership while also strongly disagreeing with his claim that “removal of symbols does [nothing] for telling the actual truth [nor] changes the state and culture of racism in this country today.” In our view, the removal of the Jackson statue and others will necessarily further difficult conversations about racial justice. It will begin to tell the truth of us all coming to our senses.

Last weekend, Charlottesville showed us unequivocally that Confederate statues offer pre-existing iconography for racists. The people who descended on Charlottesville last weekend were there to make a naked show of force for white supremacy. To them, the Robert E. Lee statue is a clear symbol of their hateful ideology. The Confederate statues on Monument Avenue are, too—especially Jackson, who faces north, supposedly as if to continue the fight.

We are writing to say that we understand justice very differently from our grandfather’s grandfather, and we wish to make it clear his statue does not represent us.

Through our upbringing and education, we have learned much about Stonewall Jackson. We have learned about his reluctance to fight and his teaching of Sunday School to enslaved peoples in Lexington, Virginia, a potentially criminal activity at the time. We have learned how thoughtful and loving he was toward his family. But we cannot ignore his decision to own slaves, his decision to go to war for the Confederacy, and, ultimately, the fact that he was a white man fighting on the side of white supremacy.

While we are not ashamed of our great-great-grandfather, we are ashamed to benefit from white supremacy while our black family and friends suffer. We are ashamed of the monument.

In fact, instead of lauding Jackson’s violence, we choose to celebrate Stonewall’s sister—our great-great-grandaunt—Laura Jackson Arnold. As an adult Laura became a staunch Unionist and abolitionist. Though she and Stonewall were incredibly close through childhood, she never spoke to Stonewall after his decision to support the Confederacy. We choose to stand on the right side of history with Laura Jackson Arnold.


Confederate monuments like the Jackson statue were never intended as benign symbols. Rather, they were the clearly articulated artwork of white supremacy. Among many examples, we can see this plainly if we look at the dedication of a Confederate statue at the University of North Carolina, in which a speaker proclaimed that the Confederate soldier “saved the very life of the Anglo-Saxon race in the South.” Disturbingly, he went on to recount a tale of performing the “pleasing duty” of “horse whipping” a black woman in front of federal soldiers. All over the South, this grotesque message is conveyed by similar monuments. As importantly, this message is clear to today’s avowed white supremacists.

There is also historical evidence that the statues on Monument Avenue were rejected by black Richmonders at the time of their construction. In the 1870s, John Mitchell, a black city councilman, called the monuments a tribute to “blood and treason” and voiced strong opposition to the use of public funds for building them. Speaking about the Lee Memorial, he vowed that there would come a time when African Americans would “be there to take it down.”

Ongoing racial disparities in incarceration, educational attainment, police brutality, hiring practices, access to health care, and, perhaps most starkly, wealth, make it clear that these monuments do not stand somehow outside of history. Racism and white supremacy, which undoubtedly continue today, are neither natural nor inevitable. Rather, they were created in order to justify the unjustifiable, in particular slavery.

One thing that bonds our extended family, besides our common ancestor, is that many have worked, often as clergy and as educators, for justice in their communities. While we do not purport to speak for all of Stonewall’s kin, our sense of justice leads us to believe that removing the Stonewall statue and other monuments should be part of a larger project of actively mending the racial disparities that hundreds of years of white supremacy have wrought. We hope other descendants of Confederate generals will stand with us.

As cities all over the South are realizing now, we are not in need of added context. We are in need of a new context—one in which the statues have been taken down.

Respectfully,
William Jackson Christian
Warren Edmund Christian
Great-great-grandsons of Thomas Jonathan “Stonewall” Jackson

Role Based Provisioning

I had done a good bit of data mining research to build out a role based provisioning analysis engine. A decade ago, at University. I had a friend in high-school who had just completed her PhD project on using technology to enhance education in K-12 education. She performed paid consulting services to implement a technology approach package in school systems. Except for the one which employed her — even though she offered her package and guidance for free as part of her employment. I remember thinking that seemed a bit insulting. Here all sorts of people are handing over taxpayer/tuition money for your expertise, but the people who employ you won’t even take it for free.

Well, my company was never much for role based provisioning. Even algorithms I’d built as part of my own research projects. Ohhh, they were all for it in theory. Get the data mining in place, figure out what everyone has, build the templates. Now who signs off on all customer service reps getting access to the billing system and the entire corporate finance group getting access to the financial record system? Anyone? Hello?

Because, in the real world, some finance flunky is going to embezzle some money. And some customer service kid is going to credit back his friends accounts. At which point who said so-and-so could access such-and-such. And no one wants their name associated with that decision. Which makes sense — the individual manager hired the person. Trusted the person. Is responsible for ensuring that trust was warranted.

I am proposing a new approach to role based provisioning. We retain the data mining component. We have access templates built on that data. But we use the template to form a provisioning request. On hire or job transfer, the manager receives a notice to go review the access request form. They can add/remove items at will. They can click to compare access with another specific individual on their team. But before any of this access is granted they click the “I say this person can have this access” button. Voila, no single person responsible for all electronic malfeasance within the company.

The Evidence

A sufficient number of people don’t believe the Confederacy was outright wrong or these statues wouldn’t be here. Similarly, a sufficient number of people don’t think the treatment of native Americans was wrong enough to make “the redskins” or “chief wahoo” a bad marketing idea. Not saying these people are correct, and evidently the number of people defending the Confederacy is shrinking or we wouldn’t have protests over statue removal. But I couldn’t imagine finding any significant percentage of the American or European populations who were willing to defend Hitler or Nazism. Given the widespread condemnation of the Nazi party, yeah expression of Nazism is illegal in Germany. Fifteen years ago, when my company had a branch in Germany, it was even illegal to assign numbers to people because it was too much like camp serial numbers (I discovered when working with some programmers to tweak a friend function because all of our employees were tracked by an internally maintained employee ID and we had to do something special for Germany to avoid running afoul of the law.).

While I don’t see a lot of people overtly claiming that the Confederacy was right about slavery, viewing the proximal (slavery) and distal (states rights) causes of the Civil War as distinct leaves room to say the Confederate states *were* right that the federal government was usurping power that should have been held by the states. Which provides an acceptable spin to Confederate monuments … and we end up mired in this red herring argument about protecting states rights and honoring those who fought to defend states rights (not to mention we need ‘the real context of these monuments’ articles). I lived in the South for a while, and encountered a number of neo-Confederates. Asked them to tell me *what* rights of the state were contested — not just the principle of a state having rights beyond federal reach. That’s specifically written in the Constitution. Never got a good answer beyond “if they could tell us not to do X today, they could tell us not to do Y tomorrow.” because the right they were fighting for? The right to consider human beings as property based on a physical characteristic.

It’s different when it’s your own …

U.S. Attorney Channing Phillips, in a motion to compel an ISP to turn over 1.3 million IP addresses that visited a Resistance web site:

“That website was used in the development, planning, advertisement and organization of a violent riot that occurred in Washington, D.C. on January 20, 2017”

Charlottesville is under a different district, thus different people involved. But anyone think the DoJ is pressuring a bunch of alt-right, Klan, and neo-Nazi sites to turn over their visitor IPs, registered user information, draft blog posts, and so on?

Freedom From Consequences Is Not A Right

I think this is one of the most important tenets of free speech — you are free to say whatever awful thing you want (and as much as I hate what you are saying, I *do* support your right to say it). You have the right to PEACEFUL assembly to advocate those awful views (but opposition has the same right to peaceful assembly to protest your beliefs, and no one has the right to violent assembly). But you are NOT free from consequences. You want to post a bunch of sexist, racist, hateful stuff online or attend hateful public rallies, yeah you can get fired. Or ostracized. Preferably both.

It’s probably too much to hope that these people will experience negative consequences and rethink their beliefs. More likely being fired will increase their hatred, bigotry, and belief that political correctness (yeah, evidently *not* being a white supremacist nazi is no longer an obvious state and requires political correctness) has just gone too far.

Seriously, though, if you are at a rally and cover your face to avoid being recognized, rethink your attendance. I’ve been at a lot of protests and rallies, and I was proud to be seen.